Java, ActiveX security elusive

A Java security bug discovered this week by Sun Microsystems(SUNW) is a reminder that completely safe networking is a contradiction in terms.

Just as Microsoft's Internet products have been hit by a series of embarrassing security mishaps in recent weeks, Java is not immune to security holes that could let hackers into a user's computer. But even though it's not impregnable, most security experts still regard Java as fundamentally more secure than other kinds of executable code, most prominently Microsoft's ActiveX technology.

As previously reported by CNET, the latest Java bug involved the Java Virtual Machine's "byte code verifier," a piece of software that sits between the network and the JVM, according to James Gosling, a Sun vice president and creator of the Java language.

Gosling said the bug could be exploited by a hacker to crash the JVM, the engine that powers Java applets through Web browsers and other applications. He added that bug could conceivably result in something worse, such as the deletion of a file on a user's PC, but added that it would be technically difficult to perform such an action.

"To even exploit this thing requires some pretty serious rocket science," Gosling said. "Almost everything you can do with it amounts to crashing the virtual machine."

From the ground up, Java was created to operate in a network environment. The JVM contains a "security manager" that cordons off Java programs from an operating system, preventing them from potentially dangerous actions such as writing to or deleting files from a user's hard disk.

Of course, having access to all of the capabilities of a user's PC has its benefits. Essentially, this is Microsoft's argument in saying ActiveX is more functional than Java. ActiveX technology is an architecture that allows miniature programs written in any programming language to run through Microsoft's Internet Explorer browser. Instead of being hamstrung by a sandbox, ActiveX programs can do virtually anything a programmer can dream up, including erasing your hard drive.

"We think that ActiveX is exciting but dangerous and have made a company commitment to Java [and] JavaBeans," said Martin Huber, CEO of software developer Ediidea.

Microsoft has tried to lessen the risk for users by allowing ActiveX programs to be stamped with a digital signature that identifies who created the program. Though many security experts believe the "trust" security model of ActiveX works well in a desktop environment, they say it's much riskier on the Internet.

"As a compiled executable, [ActiveX] assumes it is in a secure environment," said Stan Dolberg, director of software strategies at Forrester Research. "Java was designed with the assumption it would be going over the Net. Java has its weaknesses, but it's design criteria was that it would have to be secure."

Indeed, Java doesn't provide hacker-proof protection against attacks. Computer science researchers discovered several bugs in early versions of the JVM that could allow hackers to sneak past Java's security manager. One of the researchers, Edward Felten of Princeton University, has coauthored a book documenting some of the security holes in Java.

Sun discovered the latest security bug itself during a routine check of the JVM. Yesterday, the company issued patches to the more than 70 vendors that license the technology, including Netscape Communications, IBM, and Microsoft.

A Microsoft spokeswoman said that the Java bug does not affect Windows 95 and NT versions of its browser. It does affect the Macintosh version of Explorer though.